Firefox privacy enhancement renders every off screen canvas white

Some time ago I found a privacy enhancement guide like this one and followed some of the recommendations. One of them was set privacy.resistFingerprinting to true.

Once I toggled the switch there was a dialog asking me if I was interested in enabling additional security measures.

Noticing some changes

reCAPTCHA

After that I continued with my life for about a month where I was no longer able to login to Digitec. The reason was their reCAPTCHA v3 check.

Googles reCAPTCHA v3 does not work well with such a tight which is not nice but a choice they made. However if it is broken they should tell the users instead of letting them solve puzzle after puzzle.

Time zones

The other odd I noticed was the time displayed at RustFests Infobeamer because it was off by an hour. After some debugging I found that the browser had set the timezone to UTC-0.

Background on this website no longer rendered

When updating the page with some slides with Firefox 63 the background was white. My first assumption was: the alpha channel is broken.

Testing that theory with another browser profile revealed a bigger mystery.

What else was changed?

Vaguely remembering that I agreed on some dialog to improve privacy I started searching in about:config. After some time I found the following:

  • app.normandy.user_id;XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX
    • As of finishing up this article I am not 100% sure this setting is related.
  • javascript.use_us_english_locale
  • extensions.ui.locale.hidden
  • privacy.spoof_english;2
  • privacy.resistFingerprinting;true

For relevance we will take a look at each one of them in reverse order:

privacy.resistFingerprinting

First let's look at some pictures. The colors have to following meaning:

  • Green: cavas element in the DOM directly rendered.
  • Yellow: extracting the finished image data from the green tile and use it with style.backgroundImage = 'url('+ green_canvas.toDataURL('image/png') +')';.
  • Red: use an off-screen canvas element and extract with toDataURL and use as backgroundImage.
  • Violet: reuse the red canvas in the DOM with CSS3 background-image: -moz-element(#canvas_red). I also tried to make it work with -webkit-canvas(canvas_red) however that was removed from Chromium in 2015 already but for some reason search engines still present it as a solution.

Live render in your browser

This option came from the TorBrowser and is documented today.

If you would like to use background images for some fancy background, consider this detection code:

const width = 16;
const height = 16;

const canvas = document.createElement('canvas');
canvas.width = width;
canvas.height = height;

const ctx = canvas.getContext('2d', { alpha: true });
if (!ctx) {
    console.log('canvas not supported');
    return;
}

ctx.globalAlpha = 1.0;
ctx.clearRect(0,0, width, height);

const pixel_0_0 = ctx.getImageData(0, 0, 1, 1).data;
if (pixel_0_0.reduce((base, element) => base || element === 255, false)) {
    console.log('privacy.resistFingerprinting detected');
    // ...
} else {
    // normal mode
}

Comparison Firefox 64.0 default profile

As rendered by Firefox with resistFingerprinting today

Comparison Firefox 64.0 with privacy.resistFingerprinting enabled

As rendered by Firefox with resistFingerprinting today

Comparison Chromium 71

As rendered by Chromium today

privacy.spoof_english

Makes JavaScript return this and also restrict the HTTP headers to en-US:

navigator.language === "en-US"
navigator.languages === Array [ "en-US", "en" ]

extensions.ui.locale.hidden

Hide the language from extensions, I guess since there is no official documentation.

javascript.use_us_english_locale

Turns the JavaScript VM into one with the English locale. This is documented in the bugs 1369330 and 1039069.

app.normandy.user_id

This setting belongs to Mozillas Heartbeat program.

Disabling Heartbeat

  1. open about:config
  2. toggle app.normandy.enabled to false
  3. set app.normandy.user_id to ""

Final words

Security is not a one-time task, it requires a continued effort.

I wish that mozilla will document these options in the future and gives clarity to its users.

Update 2018-12-23

There is some more documentation from mozilla now.

Browser extensions

In the beginning I was searching the strange behaviour on my extensions and the operating system specifics. Cleaning up old extensions was a good thing to do anyways and reducing them to a minimum speeds up the browser.

I am currently recommending:

  • Privacy Badger by EFF Technologists
  • uBlock Origin by Raymond Hill

and please:

More information is available eg. here.

links

social